redirect telnet and ssh


Post by Steve Conra » Sat, 28 Jun 2003 08:24:41



I am working on an OBSD 3.3 firewall router with 3 NICs.  I have a
machine to put in the DMZ that needs to be accessed from the internet
via ssh and telnet.  I have tried several sets of rules to redirect
traffic straight through the obsd box and into the dmz but I always end
up on the firewall.  I simplified the rules a lot and got it to work:

> int_if = "fxp0"
> ext_if = "fxp1"

> rdr on $ext_if proto tcp from any to any port 22 -> 10.10.10.20 port 22
> rdr on $int_if proto tcp from any to any port 22 -> 10.10.10.20 port 22

> pass in all
> pass out all

but when I put the rdr in my regular rules it doesn't.

> #macros
> int_if = "fxp0"
> ext_if = "fxp1"
> dmz_if = "fxp2"

> tcp_services = "{ 22, 113 }"
> icmp_types = "{ 8, 11 }"

> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

> #options
> set block-policy return
> set loginterface $ext_if

> #scrub
> scrub in all

> # nat/rdr
> nat on $ext_if from $int_if:network to any -> $ext_if
> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
>     port 8021
> rdr on $ext_if from any to $dmz_if port 22 -> port 22
> rdr on $int_if from any to $dmz_if port 22 -> port 22

> #filter rules
> block all

> pass quick on lo0 all

> block drop in  quick on $ext_if from $priv_nets to any
> block drop out quick on $ext_if from any to $priv_nets

> pass in on $ext_if inet proto tcp from any to $ext_if \
>     port $tcp_services flags S/SA keep state

> pass in inet proto icmp all icmp-type $icmp_types keep state

> pass in on  $int_if from $int_if:network to any keep state
> pass out on $int_if from any to $int_if:network keep state
> #above rule would allow firewall to talk to internal network, ie ping etc

> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state

This is basically the example from OBSD.org

Can someone tell me where I am going wrong?

Thanks,

Stan



Post by Konfuziu » Sat, 28 Jun 2003 15:28:13


Hi Steve,

You need to know that the packets are first translated, then filtered.


>> #macros
>> int_if = "fxp0"
>> ext_if = "fxp1"
>> dmz_if = "fxp2"

>> tcp_services = "{ 22, 113 }"
>> icmp_types = "{ 8, 11 }"

>> priv_nets = "{ 127.0.0.0/8, 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 }"

>> #options
>> set block-policy return
>> set loginterface $ext_if

>> #scrub
>> scrub in all

>> # nat/rdr
>> nat on $ext_if from $int_if:network to any -> $ext_if
>> rdr on $int_if proto tcp from any to any port 21 -> 127.0.0.1 \
>>     port 8021
>> rdr on $ext_if from any to $dmz_if port 22 -> port 22
>> rdr on $int_if from any to $dmz_if port 22 -> port 22

>> #filter rules
>> block all

>> pass quick on lo0 all

>> block drop in  quick on $ext_if from $priv_nets to any
>> block drop out quick on $ext_if from any to $priv_nets

This rule blocks all traffic redirected to your DMZ.

>> pass in on $ext_if inet proto tcp from any to $ext_if \
>>     port $tcp_services flags S/SA keep state

This rule does not even match the problematic packets.

>> pass in inet proto icmp all icmp-type $icmp_types keep state

>> pass in on  $int_if from $int_if:network to any keep state
>> pass out on $int_if from any to $int_if:network keep state
>> #above rule would allow firewall to talk to internal network, ie ping etc

>> pass out on $ext_if proto tcp all modulate state flags S/SA
>> pass out on $ext_if proto { udp, icmp } all keep state

> This is basically the example from OBSD.org

> Can someone tell me where I am going wrong?

You are blocking the incoming translated packets, because they are directed
to internal subnets. Additionally, you do not even have a rule in your
ruleset that would allow traffic to your DMZ.

HTH Konfu
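An rdr/filter pair that illustrates Konfu's point, written as an added example (it is not from either post or from the OpenBSD FAQ). It uses the interface macros from Steve's ruleset and the OpenBSD 3.3-era pf syntax, and assumes the DMZ host is 10.10.10.20, the address from his simplified test; everything else in his file stays as it is.

```pf
# macros (interface names as in the original ruleset; host is an assumption)
ext_if = "fxp1"
dmz_if = "fxp2"
dmz_host = "10.10.10.20"
dmz_services = "{ 22, 23 }"      # ssh and telnet, the two services in the subject

# nat/rdr: a redirect needs a target address, not just a port.
# "rdr ... -> port 22" (the original) names no host, so nothing is translated
# and the connection lands on the firewall itself.
rdr on $ext_if proto tcp from any to $ext_if port 22 -> $dmz_host port 22
rdr on $ext_if proto tcp from any to $ext_if port 23 -> $dmz_host port 23

# filter rules
block all

# Translation runs BEFORE filtering, so by the time this packet is filtered
# its destination is already $dmz_host. The original pass rule matched
# "to $ext_if" and therefore never saw the redirected packets.
pass in on $ext_if inet proto tcp from any to $dmz_host \
    port $dmz_services flags S/SA keep state

# "block all" also covers the outbound leg on the DMZ interface, so the
# forwarded packet needs its own pass rule there.
pass out on $dmz_if inet proto tcp from any to $dmz_host \
    port $dmz_services flags S/SA keep state
```

The same ordering rule applies to the $int_if rdr lines: the pass rule on $int_if must name $dmz_host, not the interface address.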

